What is a phishing scam?

A phishing scam is when malicious emails target a company’s customers by pretending to come from a legitimate email address. They will typically use the company name, but with an extra word or character slipped in. Phishing emails can also display a legitimate email address, like message-service@post.xero.com, but really they’re spoofing it: the message is actually coming from an entirely different email address.

These emails are designed to trick you into entering your email and password, which the scammers can then use to log in to the original site, or try on other sites where you use the same password. Whenever you enter your username and password online, check that you’re actually on the right site.

As online fraud continues to grow, we’ve put together some advice to help you stay safe online.

UPDATE FROM XERO

When this blog was originally posted, message-service@post.xero.com was used as an example of a phishing email. We would like to clarify: that is the email address we use for most of our legitimate communications to our customers, and thousands of legitimate emails are sent from it every day. However, a recent phishing scam has been pretending to be from this email address.

This phishing email has an attached .zip file with malicious content, and it pretends to be from our message-service@post.xero.com email address.

This is what makes dealing with phishing emails challenging: the spammers will be doing everything they can to make it look like a legitimate email. If the email looks impersonal, comes from an organization that you’re not familiar with, or contains a .zip file as an attachment, you may be dealing with spam. If you’ve received one, don’t open it – and if you do open it, don’t click any links or attachments. Delete the email. If you’re ever concerned you’ve received a phishing email that pretends to come from Xero, please forward it to phishing@xero.com.

Keeping you safe online is very important to Xero. We’re aware that there’s an increasing number of phishing scams targeting the customers of banks and large corporations.

How to avoid being phished

Don't click on any suspicious links

Always check the login link provided in the email. Usually a quick look at the URL will tell you if something is off. Large companies and banks will have secured websites – this means their URL will start with “https” instead of “http”. This is an important difference, as it means you’re on a secure site. You can always skip the link and navigate to the login site on your own. That way you know you’re logging in to the correct site.

Verify the email

If you receive an email prompting you to log in or send personal details, always check the email address it’s coming from. Make sure it matches the other emails you’ve received from that company. This includes the wording in the email and any imagery used.
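One way to make the link check and the sender check above concrete, as an added example that is not part of this Xero post: a short Python script that pulls the host out of a link and the address out of a From: header, then compares each to the domain you expect. The expected domain and every sample link and header below are constructed for illustration; the only real address is message-service@post.xero.com, which the post itself names. What the code shows beyond the text is why the host has to be compared on whole domain labels: a lookalike that slips in an extra word, swaps a character, or buries the real company name inside some other domain still contains the familiar name, so a glance (or a plain substring search) can pass it, while a label-boundary comparison rejects it. It also reports “https” separately from the host match, since the two tell you different things.

```python
"""Added example, not code from the original Xero post: compare a link's host
and a sender's address against the domain you expect, on whole domain labels.
All sample links and From: headers are constructed for illustration."""
from urllib.parse import urlsplit


def host_matches(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain of it.

    Comparing on label boundaries is what defeats lookalikes: a host ending in
    'account-verify.example' is not under 'xero.com' even if it starts with
    'xero.com.', and 'xero-login.example' or 'xer0.com' are different domains.
    """
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_link(url: str, expected_domain: str) -> dict:
    """Classify a login link: is it https, and does its host belong to the
    expected domain? Both findings are returned so the reader can see which
    test a particular link fails."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "host": host,
        "https": parts.scheme == "https",
        "trusted_host": host_matches(host, expected_domain),
    }


def sender_address(from_header: str) -> str:
    """Extract the actual address from a From: header. Anything before the
    final '<...>' is the display name; mail clients show it prominently and a
    forged header can put the real company's address there. (Deliberately a
    simple rule rather than a full RFC 5322 parser: assumption for this example.)"""
    header = from_header.strip()
    if header.endswith(">") and "<" in header:
        return header[header.rfind("<") + 1:-1].strip()
    return header


def check_sender(from_header: str, expected_domain: str) -> dict:
    """Compare the domain of the real sender address with the expected domain."""
    address = sender_address(from_header)
    domain = address.rpartition("@")[2]
    return {
        "address": address,
        "trusted_domain": bool(domain) and host_matches(domain, expected_domain),
    }


if __name__ == "__main__":
    expected = "xero.com"
    # Constructed sample links: one genuine-looking, the rest lookalikes.
    for url in [
        "https://login.xero.com/",
        "http://login.xero.com/",                         # right host, not https
        "https://xero.com.account-verify.example/login",  # real name buried in another domain
        "https://xero-login.example/",                    # extra word slipped in
        "https://xer0.com/login",                         # character swapped (zero for o)
    ]:
        print(url, check_link(url, expected))
    # Constructed sample headers: the second shows the real address only as
    # the display name, while the actual sender is elsewhere.
    for hdr in [
        "Xero <message-service@post.xero.com>",
        "message-service@post.xero.com <billing@mail.example>",
    ]:
        print(hdr, check_sender(hdr, expected))
```

Run as a script it prints one line per sample; the functions return plain dictionaries so the same checks can be dropped into a mail-filtering rule or a help-desk triage script. The design choice worth noting is that nothing here trusts what the link or header looks like to a human: the host is taken from the parsed URL and the address from the last angle-bracket pair, and only then compared.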

Reach out and ask

If all else fails, send the email to the customer service department of the company in question and ask if it is legitimate. Your vigilance could alert them to a problem affecting multiple customers. At Xero we have an email address set up for just such events: phishing@xero.com. We will always confirm whether an email was from us.

If you think you’ve been phished on any site, log in and change your passwords immediately. You should also contact the company to let them know your account may have been compromised. It’s better to let them know before any damage has been done.